First you need to make darn triple check extra sure that when you deploy it, you won't change it. It is a one-shot switch and whoever gets to your site is stuck with the configuration for days, weeks, months. And you cannot tell them "my bad, try again".
Then if you have a sensible setup, you would redirect immediately to HTTPS anyway.
Sure, it protects you from some marginal risks (such as you not setting your cookies to secure mode) but then you have other problems and HSTS will bite you when you prod the security settings without a good plan.
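As an added example (not the commenter's code), a small pre-deploy check that parses a Strict-Transport-Security value and flags the lock-in the comment warns about: how long visitors are pinned, and whether includeSubDomains or preload widen that commitment. The rollout thresholds are assumptions chosen for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Rollout thresholds are assumptions for this example, not values from the post.
FIRST_DEPLOY_MAX_SECONDS = 300        # start with minutes, not months


@dataclass
class HstsReport:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    warnings: list[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsReport:
    """Parse a Strict-Transport-Security value: ';'-separated directives,
    case-insensitive names, max-age (seconds) mandatory per RFC 6797."""
    report = HstsReport()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                report.warnings.append(f"max-age is not a non-negative integer: {value!r}")
            else:
                report.max_age = int(value)
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        else:
            report.warnings.append(f"unknown directive ignored: {name!r}")
    if report.max_age is None:
        report.warnings.append("max-age missing: browsers will ignore this header")
    return report


def assess_rollout(header_value: str, first_deploy: bool) -> HstsReport:
    """Add the lock-in warnings a pre-deploy check should raise.
    max-age=0 clears the policy, so it gets no lock-in warnings."""
    report = parse_hsts(header_value)
    if report.max_age:
        days = report.max_age / 86400
        if first_deploy and report.max_age > FIRST_DEPLOY_MAX_SECONDS:
            report.warnings.append(f"first deploy pins visitors for {days:.1f} days; start small and ramp")
        if report.include_subdomains:
            report.warnings.append("includeSubDomains pins every subdomain, HTTPS-ready or not")
        if report.preload:
            report.warnings.append("preload asks browsers to hard-code the policy; removal takes months")
    return report
```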